LORIS Release v18.0.0 (Release Candidate 1)

LORIS v18.0 is the next major release of LORIS. It adds the ability for users and examiners to be affiliated with multiple sites, as well as adding 433 other bug fixes and minor changes.

• Full list of changes

New Features

• [Core] Users and Examiners may be affiliated with more than one site.
• [Imaging Browser] A new Config module setting called "tblScanTypes" defines which modalities should have quality control performed. In the Imaging Browser, the "T1 Done" and "T2 Done" columns are now customizable to any set of modalities using this Config setting, and the "New Data" column shows only new scans from these designated modalities.
• [LorisForm] Readonly elements and Radio button support added in PHP-coded instrument forms

Updates and Improvements

• [Media] File names that are uploaded must now be unique.
• [BrainBrowser] The version of BrainBrowser included in LORIS is upgraded, which should fix issues loading scans from certain scanners but be otherwise unnoticeable.
• [Login] Captchas are improved by changing them to use the google reCAPTCHA service rather than a custom implementation

Notes for Existing Projects

• [API] The v0.0.1 is now deprecated and will be removed in a future release. v0.0.1 is a proper subset of v0.0.2, so upgrading should be transparent and only require changing "1" to "2" in any calls to the API.
• [Security] The old (unused) Password_MD5 column is removed. LORIS has used PHP's more secure password API for a number of releases, but the column remained so that existing users could still login (and the password hash would be upgraded upon login). The insecure hashes are now completely removed. As a result, passwords can no longer be reset via the MySQL commandline -- instead, run the new tools/resetpassword.php script, or have the user click the "Forgot your password" link.
• [Radiological Review] The Final Radiological Review module was removed, as it was only used by a single LORIS project and not sufficiently generic to be used by others. If you were using it and need access to it, please contact the loris-dev mailing list for help on how to install it into your project/ directory.
• [Config] In the config.xml file, the <database> subtag of CouchDB was renamed to <dbName> to avoid conflicts with the MySQL database config setting. If you have CouchDB setup in your config.xml, you'll need to rename this tag.

Upgrade Process

Unfortunately, due to changes in constraints in the database schema upgrading this version of LORIS is a multistep process. After updating the code, you must:

1. Source the SQL file SQL/Release_patches/17.0_To_18.0_upgrade_A.sql
2. Run the script php tools/DB_date_zeros_removal.php to remove invalid dates in MySQL.
3. Run the script php tools/populate_examiners_psc_rel.php to populate the new multisite examiners table with existing examiners.
4. Source the SQL file SQL/Archive/18.0/2016-06-01-update_zero_fields_statements.sql to add constraints on the tables modified by the script in step 2.
5. Source the rest of the schema changes in the file SQL/Release_patches/17.0_To_18.0_upgrade_B.sql
6. Review the file SQL/Archive/18.0/clean-up/Clean_up_patch.sql which removes and cleans up various columns after backing up any data in those tables.

Known Issues / Beta Features

LORIS Release v17.0.6

This fixes some bugs found since the LORIS v17.0.5 release. In particular:

• "required" rules were not working on multiselect elements in LorisForm. This is fixed.
• 2 more security issues are now fixed
• the ability to create candidates using the API was fixed for projects which do not use EDC. (The API was previously requiring the EDC be submitted even for post-natal research projects.)
• the VERSION should now be correctly updated. (v17.0.5 incorrectly labeled itself v17.0.4.)

LORIS Release v17.0.5

This release fixes bugs found since v17.0.4 was released. Users of LORIS v17.0.x are strongly encouraged to upgrade in order to receive the two security fixes (and 3 other minor bug fixes) described below.

LORIS instances which have a JWTKey setting which does not meet the new key strength requirement checks will need to change their JWTKey setting in the configuration module in order to use the API. (The new requirements are similar to the LORIS password requirements, except must also be at least 20 characters long since it's never directly entered by a user.)

Changes

• The check which verifies that a user is not downloading a file that they shouldn't have access to in get_file.php proved to be insufficient. It now performs an extra check.
• A check of key strength is added to the JWT tokens used for the API. (This JWT key is randomly generated by the LORIS installer, but older projects which upgraded LORIS may not have updated their keys to a secure key, so weak keys are ignored in order to ensure that upgraded LORIS instances don't have the default key.)
• A bug in an SQL query in the examiner module with MySQL 5.7 regarding the only_full_groupby setting has been fixed.
• A bug causing Date_taken to not be properly resolved in the conflict resolver has been fixed.
• The conflict resolver now shows Examiner's full name, rather than their ID, to make it easier to resolve data entry conflicts in examiner.

LORIS Release v17.0.4

This fixes a few minor bugs found since the v17.0.3 release. In particular:

• Required fields were not working properly if a user submitted the value "0"
• A bug was fixed preventing visits from being created in the API as documented
• Some changes were made to the DQT import scripts which should prevent unnecessary rebuilds and speed up the import process of large data sets

LORIS Release v17.0.3

This release fixes two security holes introduced in features added in the LORIS v17.0.0 including a remote code execution exploit in one of the brainbrowser ajax scripts. Some minor bug fixes found since v17.0.2 are also incorporated.

All users of the LORIS 17.0 branch are strongly urged to upgrade immediately.

LORIS Release v17.0.2

This release addresses various minor issues with LORIS 17.0.1.

Notably, it:

• Fixes an error in LorisForm where some dates weren't correctly being disabled when
• Fixes some bugs with MySQL 5.7
• Fixes a bug where downloading CSVs would break if the CSV had numeric values
• Improves date validation
• Fixes various problems with the data query module
• Fixes a bug where the consent module would not work if only one type of consent was specified.

LORIS Release v17.0.1

This release addresses various minor issues with LORIS 17.0.0.

In particular, minor bugs with LorisForm affecting some instruments were fixed, as well as bug fixes to the imaging browser, examiner module, and statistics module.

Anyone using LORIS 17.0.1 should upgrade to this release.

See here for a complete list of changes.

LORIS Release v17.0.0

Full list of changes

Only PHP 7 and MySQL 5.7 are supported for Loris 17.0.

New Features

• LorisForm replaces QuickForm (wiki)
• Issue Tracker module for reporting and following up on bugs and data issues
• MRI scans that have failed protocol checks are now viewable in BrainBrowser #2219
• drop-down Help text can be written as a markdown file, instead of stored in a database table, for new-style modules #2196
• Add extensions to Content-Security Policy for user-hosted content via the Config module #2204
• Examiners can be added based on User Accounts #2190
• Caveat added at the visit level for Imaging data #2135

Install Process

• Web-based Install tool now covers many steps of the install process
• New Vagrantfile to quickly deploy LORIS #2164

Updates and Improvements

• Candidate Information (Candidate Parameters) module re-designed
• Improved messaging for Imaging Uploader and Insertion process
• Visit labels should not contain underscores, for imaging insertion purposes
• Genomic Browser new progress bar for file upload #2231
• project override issue resolved #2187
• Better distinction between human and phantom scans (#2189)
• For projects using the imaging uploader's auto-launch insertion feature, log files are deleted only if insertion was successful #2252
• Final Radiological Review module shows whether T1 was successfully loaded in Loris #2175
• Various UI improvements, cleanup, and bug fixes
• Media module only shows data from user site by default #2469

Notes for Existing Projects

Follow steps for Updating your LORIS

Be sure to apply Release Patches since your last update, in release order -- including patches from all minor releases.
Note that create temporary tables mysql permission is required to run this patch

• Visit labels should not contain underscores, for imaging insertion purposes
• PHP 7 and MySQL 5.7 are supported for Loris 17.0. Timestamp fields in custom tables may require updating for MySQL 5.7 (#2222) Deprecated PHP 5* functions updated (#2370)
• Update all PHP QuickForm instruments, since HTML QuickForm is now replaced by LorisForm. No other code, configurations, templates, tables or data will be affected or require adjustment.
• If your dashboard loads but no other modules load, ensure that your /var/apache2/apache2.conf file is set to AllowOverride All in the section <Directory /var/www/> to enable re-write rules (based on htdocs/.htaccess file)
• If clicking Save or Submit form buttons generates and error, check the Configuration module and ensure the url (WWW section) is set to your host. (Loris 16.0 instructions may have recommended that you set this to the empty string)
  *For projects upgrading to 5.7, see PR #2444 for script to remove zero dates.

Known Issues / Beta features

• Issue Tracker module Beta features include: Watching (email notifications for users), and association of subjectID and timepoints with an issue

LORIS Release v16.1.3

This fixes some bugs with filters in the Data Query Tool in Loris 16.1.2. Other modules are unaffected.

• Fixes bug where adding filters returned no data.
• Adds user feedback that data is loading.
• Fixes bug with downloading files sometimes not working.
• Optimizes the time it takes to run queries. It was previously re-requesting the same data more times than it needed to.

Current users of 16.1.2 should upgrade to this release, as changes should be minimal.

LORIS Release v16.1.2

This release fixes a recently discovered security vulnerability, where AJAX scripts could return data to users who are not logged in.

Users of 16.* are strongly encouraged to upgrade immediately.